On Thu, 08 Jun 2006 15:26:25 +0100 Ian Eiloart <iane@sussex.ac.uk> wrote:
where "sender-pw" is associated with the (claimed) From-address. This is different from, but complementary to, "Approved: list-pw".
That's neither approval nor authorisation, it's authentication -
That's a good point.
Passwords are usually used for both, but it's far better to separate the functions. Knowledge of a personal password serves to authenticate you, but not to authorise you. Knowledge of a shared password is sometimes used for authorisation, but can't be used for authentication. Even for authorisation, passwords are extremely weak.
There has been some interest in the past on associating pubkeys with email addresses and using those to authenticate senders of signed messages. In the long run, that's probably a worthy avenue to pursue.
-Barry